Hacking (Noob question) How was the code for the boot sequence observed before A9LH?

martyjake (OP)
I'm trying to learn more about hardware hacking and vulnerabilities and I've always wondered, how did people observe the code that the 3DS runs when it boots before they found an exploit?
 

Ryccardo
If you mean the bootroms, there's no alternative to dumping them (which was done over a year ago by certain famous people)

If you mean the secret sector (required for decrypting N3DS kernels), the contents were effectively leaked by security deficiencies in, iirc, the kernels themselves

All installable titles are encrypted with keys coming from variable combinations of: the kernel, the bootrom, the OTP, the movable.sed, the NAND CID, etc. -- but while, without all of those sources, it's impossible to get the actual keys themselves, you can use a hacked console (that can normally decrypt your object of interest, for example a digital game you legally bought) to decrypt that object without necessarily having direct access to the keys involved (for example, dumping titlekeys).

The above is how pretty much any encryption/decryption had to be done until most people got access to the bootrom = B9S release, since most of the keys come in part from the bootrom

While still comparatively unpopular, it's now possible to do most of those jobs on a PC, at an appropriately increased speed!
 
Deleted User (Guest)
Before a9lh there was menuhax and spider/mset, which gave userland access to the kernel on 9.2, which was the golden firmware at the time, and let you boot into the kernel from userland access before it was patched on newer firmwares after 9.2. Then once we got into downgrading and all with hardmodding, I guess that was when a9lh (access to the arm9 boot rom) was in the works, and eventually we found out how to dump the OTP, which holds the keys needed.
 

martyjake (OP)
> If you mean the bootroms, there's no alternative to dumping them (which was done over a year ago by certain famous people)
>
> If you mean the secret sector (required for decrypting N3DS kernels), the contents were effectively leaked by security deficiencies in, iirc, the kernels themselves
>
> All installable titles are encrypted with keys coming from variable combinations of: the kernel, the bootrom, the OTP, the movable.sed, the nand CID, etc -- but while, without all of those sources, it's impossible to get the actual keys themselves, you can use a hacked console (that can normally decrypt your object of interest, for example you legally bought a digital game with) to decrypt that object without necessarily having direct access to the keys involved (for example, dumping titlekeys)
>
> The above is how pretty much any encryption/decryption had to be done until most people got access to the bootrom = B9S release, since most of the keys come in part from the bootrom
>
> While still comparatively unpopular, it's now possible to do most of those jobs on a PC, at an appropriately increased speed!

In order to develop an exploit you need to observe and study the code that is being run, right? Then how was this code able to be decrypted in the first place without a key?
 

Ryccardo
> In order to develop an exploit you need to observe and study the code that is being run, right?

The usual way to realize an exploit even exists is to blindly feed an application invalid data (hacked saves, too long of a description in the case of the mset exploit, non-level QRs for Cubic Ninja...) and see how it reacts (ignores it, rejects it, crashes and quits, crashes and freezes, or does weird stuff) - then you need to figure out if the crash is exploitable (i.e. if it can be controlled by changing the data you feed it and/or "external" factors).

Then yes, having an accurate emulator with debugger can help, but if you don't have them, you can still try blindly (while maximizing your luck - for example, if you can supply arbitrary data through your hacked save to memory at addresses 500 through 600, and the crash jumps to a random address between 400 and 550, you can have an exploit with 1/3 chance of success if you put your payload after 550, and fill 500-550 with "do nothing, just proceed to next instruction")

(To figure out the above numbers without a debugger, it would be trial and error, yep)
 
